I will indulge in a rathole, in part, because I do think it represents an
important philosophical category for WSC participants, so that being
explicit about it and airing it will be a good thing long term for
discussions and consensus.
> The reason that we tend to obsess at 100% is that cryptography
> allows us to be pretty good at some aspects of technical security.
I have another view about why 100% is important to some security people.
It's because, in security, anything less than 100% represents the
opportunity for attack. It is a vulnerability. Security people naturally
don't want vulnerabilities,and particularly don't want to be responsible
for any vulnerabilities. Even if the action they take represents, as you
put it, a risk reduction. It can be difficult, both personally and
organizationally, to be proud of and promote the risk reduction, while
bearing the responsibility for some of the subsequent risk. And that's
even if you're lucky enough to be able to articulate the risk reduction
clearly. Not that you've got a hope of being able to actually prove it.